Version 3.4.5 of Eclipse Ditto, released on 17.05.2024
Edit this page

This is a security bugfix release, no new features since 3.4.4 were added.

Changelog

Compared to the latest release 3.4.4, the following changes and bugfixes were added.

Security fixes

Security fix for CVE-2024-5165

The Eclipse Ditto’s Web-UI, the Explorer User Interface, was vulnerable to Cross-Site Scripting (XSS) at multiple input fields.
Affected versions are all Ditto-UI versions starting from when the Ditto-UI was introduced, with Ditto 3.0.0.

This is tracked through CVE https://nvd.nist.gov/vuln/detail/CVE-2024-5165.

The issue was detected and reported by Manuel Sommer and Quirin Zießler and disclosed via the Eclipse Vulnerability Reporting process.
We like to thank them for the detection and the effort of reporting the affected input fields.

For any users of Eclipse Ditto who deployed also the Ditto Web-UI, we recommend updating the Web-UI.
If the Web-UI is not deployed, no action to update is needed, as the Ditto backend is not affected.